Thousands of high-risk chemical facilities are ill-protected from potentially disabling cyber attacks because the federal cybersecurity guidance and training meant to secure the plants are out of date, the Government Accountability Office (GAO) found in a new review.
The federal watchdog found that the Department of Homeland Security’s Chemical Facilities Anti-Terrorism Standards (CFATS) program, which steers some 3,300 chemical installations toward meeting cybersecurity standards, has not updated its cybersecurity guidance in more than a decade and lacks a routine process for reviewing it. (Note: The House Homeland Security Committee last year approved a bill to renew the CFATS program before it expires in July, but the legislation has yet to receive a floor vote.)
“A successful cyber attack against chemical facilities’ information and process control systems can disrupt or shut down operations and lead to serious consequences, such as health and safety risks, including substantial loss of life,” the GAO said. “Adversaries could potentially manipulate facilities’ information and control systems to release or steal hazardous chemicals and inflict mass casualties to surrounding populations.”
DHS and its cyber wing, the Cybersecurity and Infrastructure Security Agency (CISA), have repeatedly warned about attacks against the nation’s critical infrastructure. Three months ago, CISA cautioned critical infrastructure operators to guard against cyber attacks following a ransomware attack on a natural gas compression facility that encrypted data across the facility’s networks.
GAO concluded that the CFATS program, which trains the inspectors who assess covered facilities, does not:
- Collect or track data on inspectors’ cybersecurity training or knowledge, skills, and abilities.
- Assess how training contributes to cybersecurity related program results.
- Establish a process to evaluate the effectiveness of its cybersecurity training in improving inspector skills.
In addition, the program has not incorporated the cybersecurity knowledge, skills, and abilities required of inspectors into its current workforce planning processes, GAO said.
GAO made six recommendations to improve DHS oversight of chemical facilities:
- Document a process to review and revise its guidance at regular intervals.
- Assess whether its cybersecurity training is contributing to program or performance goals.
- Track delivery and performance data for its cybersecurity training, such as completion of courses, webinars, and refresher training.
- Develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
- Develop a gap analysis of the program’s capacity and capability to perform its cybersecurity-related functions, and identify the resources needed to close any gaps.
- Maintain information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise.
DHS concurred with all six recommendations laid out in the GAO report. “Cybersecurity is an integral part of DHS’s national approach to chemical security,” DHS official Jim Crumpacker wrote in response to GAO. “The Department remains committed to ensuring that high-risk chemical facilities are implementing appropriate physical and cyber security measures.” (via The Hill)